Phishing is today's leader, a subject which I'm sure you've heard a lot about but which is always worth a mention.
Phishing is the term for cyber criminals trying to trick victims into doing something by posing as legitimate organisations or people. That "something" could be downloading malware disguised as an attachment, clicking on a malicious link, typing a password into a fake login page, or changing the bank details a payment is sent to.
According to MetaCompliance, 91% of all cyber-attacks start with a phishing email, which is why it is so important to be aware of the tactics that these super social engineers use.
There are various types of phishing, and they can reach you on any device: a phone (and it doesn't have to be a smartphone), tablet, laptop or desktop. A number of terms are used to describe these methods. Phishing is generally used for attacks via email, whilst vishing describes attacks via a voice call and smishing attacks via text message.
Apart from those general terms we also have more specific ones:
- Spear phishing – this is where publicly available, or previously stolen, information about you is used to make the message more believable. Data breaches are a rich source of this, because the details released are exactly the ones you would expect to be kept secret. For instance, if you receive an email quoting your own username and a password you really have used, you are far more likely to believe the rest of it; this is exactly how the "we have recorded you" extortion emails work.
- Whaling – like spear phishing in that it is very targeted, but here the criminals either target the senior leaders of a company (in the hope that compromising their accounts gives a higher level of authority and access to sensitive data) or impersonate a senior leader to get an action taken, such as a high-value payment being sent. The second form is often called CEO fraud.
- Angler phishing – this is where criminals use notifications or direct messages within social media applications, often from an account posing as a company's customer-service team, to entice someone to act, for example by clicking a link.
- Pop-up phishing – this is where criminals use pop-up boxes, either injected into a web page or made to look like system alerts, to push you into acting; the fake "your computer is infected, call this number" warning is the classic form. A related trick abuses the browser's own notifications feature: the site asks whether it may "show notifications" and, if you click "allow", it can keep pushing fake alerts and malicious links to your desktop long after you have closed the tab. Clicking "allow" does not itself download anything; the danger is what those notifications get you to click next.
What you really want to know is how do you spot a phishing attack and what should you do about it? Criminals are getting more sophisticated in the campaigns that they are operating, and it can be very difficult to detect some of these, but there are a few things that might help you to spot a phish. Below are some ploys in general use:
- Urgency – “this has to be done NOW!”
- Authority – from the CEO or a senior member of staff, but is it their style, or is it an unusual request?
- Mimicry – impersonation of a trusted individual or organisation
- Curiosity – “OMG! Have you seen this?”
You can also look out for:
- Grammar and spelling – does it make sense, and is it addressed to you by name or just to "recipient" or "customer"?
- Email address – look at the full address, not just the display name you recognise; the real sender is the domain after the @, and a display name can be made to say anything, including somebody else's email address.
- Hypertext – hover over (or long-press) a link to see where it really goes, and read the whole URL, not just the familiar name at the start of it: the part that matters is the registered domain just before the first "/", and "yourbank.com" can sit quite happily inside "yourbank.com.secure-update.net".
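To make the last two checks concrete, here is a small Python script, added to this page as an illustration and not code from the original article, that does what the two bullets ask of a human: pull the real address out from behind the display name, and compare where a link's visible text says it goes with where its href actually points. The trusted domain list (`TRUSTED_DOMAINS`), the sample From: header and HTML body are all made up for the example, and the handling of two-level suffixes such as co.uk is a deliberate simplification (a real tool would use the Public Suffix List).

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical: the domains this organisation treats as genuinely its own or its bank's.
TRUSTED_DOMAINS = {"example.co.uk", "bank.example"}

# Simplification: a real implementation would use the Public Suffix List; here only
# a few common UK two-level suffixes are special-cased.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "nhs.uk"}


def registrable_domain(host: str) -> str:
    """The part of a hostname somebody actually registers, which is the part to read:
    'bank.example.secure-update.net' -> 'secure-update.net',
    'www.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_sender(from_header: str) -> list:
    """Reasons to be suspicious of a From: header (empty list = nothing found)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parsable email address in From: header"]
    actual = registrable_domain(addr.rpartition("@")[2])
    reasons = []
    if actual not in TRUSTED_DOMAINS:
        reasons.append(f"mail actually comes from {actual}, which is not a trusted domain")
    if "@" in name:
        # The display name is itself written as an address; most mail clients show
        # that in place of the real one, which is exactly the trick.
        shown = registrable_domain(name.rpartition("@")[2])
        if shown != actual:
            reasons.append(f"display name shows {shown} but the real address is at {actual}")
    return reasons


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Does the visible link text itself look like a URL or bare domain?
_LOOKS_LIKE_URL = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/|$)")


def check_links(html_body: str) -> list:
    """Reasons to be suspicious of the links in an HTML email body."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        target = registrable_domain(host)
        # 1) The text shows one URL but the href goes to a different registered domain.
        m = _LOOKS_LIKE_URL.match(text.lower())
        if m and registrable_domain(m.group(1)) != target:
            findings.append(f"link text shows {m.group(1)} but points at {target}")
        # 2) A trusted name is buried as a subdomain of somebody else's domain.
        for trusted in TRUSTED_DOMAINS:
            if target != trusted and trusted in host:
                findings.append(f"{trusted} appears inside {host}, whose real owner is {target}")
    return findings


# Constructed sample message (not a real phish) used to exercise the checks.
SAMPLE_FROM = '"accounts@bank.example" <billing@mail-secure-update.net>'
SAMPLE_BODY = (
    '<p>Your invoice is ready: '
    '<a href="https://bank.example.secure-update.net/inv/8841">'
    'https://www.bank.example/invoices</a></p>'
    '<p>Need help? <a href="https://www.bank.example/help">Help centre</a></p>'
)

if __name__ == "__main__":
    for reason in check_sender(SAMPLE_FROM) + check_links(SAMPLE_BODY):
        print("-", reason)
```

Run against the constructed sample it reports four things: the mail really comes from mail-secure-update.net, the display name is pretending to be bank.example, the invoice link's text and its destination disagree, and bank.example has been planted inside secure-update.net's hostname. The genuine help-centre link produces nothing. None of this needs a sandbox or a reputation feed; it is simply the "read the whole address" habit written down.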
What should you do?
Report it - If you think you have received a phishing email, then you need to report it. Your business should have a policy on this, and your staff should know what to do both when they have merely received one and when they have clicked, replied or entered a password. The second case needs reporting far more urgently, so make it clear that nobody will be blamed for owning up; a phish reported ten minutes after the click is a password reset, one reported a week later is an incident. Your staff can be a huge asset in protecting your company against phishing attacks, so empower them to question the communications they receive from everyone.
The NCSC has a free reporting add-in for business versions of Outlook (Microsoft 365) which sends phishing emails straight to its Suspicious Email Reporting Service, where they can be investigated and the malicious sites potentially taken down. Anyone can also forward a suspect email to report@phishing.gov.uk, and suspect text messages to 7726. Having the report button in the ribbon also helps to keep phishing in mind when staff open an email, like a little nudge. It's free and should be a no brainer.
Next, we thought we'd take a look at some specific industries, and we have picked on estate agents to go first, although arguably much of this could equally apply to several service industries, including financial advisers and solicitors.
Estate agents hold large amounts of personal data, much of which is financial and therefore has to be held for 7 years, and this makes them vulnerable to data breaches (which of course applies to many other sectors). The data held will relate to the purchase and/or sale of property: details of payments, confidential client IDs, bank account details and the like. Nothing surprising there. I'm sure many hold this data securely and maybe even encrypt it. But they also upload such data to third-party sites to market properties, sometimes more than one, and that's when human error can creep in. Internal mistakes, such as an email or document sent to the wrong person, are the biggest single cause of reported data breaches; malicious activity from cyber criminals is a reality, but it comes some way behind the internal breach.
The Data Protection Act 2018 may be a subject to drive you into a coma. However, it's a really important subject that you need to have a good working understanding of. Why, I hear you ask? It's all about that GDPR stuff, isn't it, not a problem now that we've left the EU. And even if there is a law, data protection doesn't really affect us smaller organisations; it's something the big companies have a problem with, but we're OK. Aren't we? Well no, you're not. GDPR was kept in UK law as the UK GDPR, and the DPA 2018 sits alongside it. Everyone responsible for using personal data has to follow strict rules called 'data protection principles'.
All organisations, regardless of size, must make sure the information is:
· used fairly, lawfully and transparently
· used for specified, explicit purposes
· used in a way that is adequate, relevant and limited to only what is necessary
· accurate and, where necessary, kept up to date
· kept for no longer than is necessary
· handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
This can become a really big financial issue. Rarely, if ever, is a single person's record lost; it is nearly always multiple records. There are now law firms offering no-win-no-fee deals for people wanting to sue following a disclosure of their personal data, and that's on top of any fine you might expect from the ICO.
I'll never get tired of pushing security awareness training, and solid processes and policies which are rolled out and which staff are fully aware of. That will sort out much of the potential for data breaches. There are of course other issues, but the basic principle of understanding the risks you face and targeting your spend and resources on those specific risks hasn't changed since the proliferation of IT started 30 years ago.